COMMAND

    kernel

SYSTEMS AFFECTED

    Win2000 Terminal Server

PROBLEM

    Alex Gubin found the following.  He had the following problem with
    Windows 2000 Advanced Server in  TS mode: when "Logon to  Terminal
    Server" right  is revoked  from Administrator  account, all  users
    are denied interactive  logon on system  console.  He  reinstalled
    Windows and it still holds.

    The procedure to reproduce it is generally as follows:

        1. Install Windows 2000 Advanced Server (2195)
        2. Install both  Terminal Services (Application  mode, Windows
           2000 permission mode) and Terminal Services Licensing.
        3. Rename  the administrator  account (I  don't know  if it is
           significant or not)
        4. Open  "Local  Users  and  Groups"  in  MMC,  select  admin,
           RightClick->Properties,   "Terminal   Services    Profile",
           uncheck "Allow logon to terminal server".
        5. Reboot (you can still log on/off until reboot)

    After reboot,  any user  attempting to  log on  to console gets an
    error "Your interactive logon privilege has been disabled,  please
    contact  your  system  administrator".   Security  event log still
    shows "Logon Successful" (Uhm...).  Anyone can still connect/logon
    normally from Terminal Server session.

    Kevin M. Materna confirmed it.  He had tested Windows 2000  Server
    with  Terminal  Services  in  Administration  Mode only.  Terminal
    Services Licensing  service is  NOT installed.   The administrator
    account is  NOT renamed.   The Administrator  account's "Logon  to
    Terminal Server" right is revoked.  After the server is restarted,
    no  user  (domain  or  local)  is  able  to log on  locally.   The
    following error message occurs: "Your interactive logon  privilege
    has been disabled..." However, accounts  are still able to log  on
    via remote terminal client.

    Now for the  strange part.   After logging on  via remote terminal
    access, he  simply restarted  the server.   He did  NOT  re-enable
    "Logon to  Terminal Server"  right.   When the  server came up, he
    was able  to log  on locally.   Occasionally after  restarting the
    server, this problem will occur again.

SOLUTION

    The  problem  ceases  after  re-enabling  the  "Logon  to Terminal
    Server" right for the local Administrator.

    Microsoft  does  have  this  listed  as  a  known bug.  The fix is
    Q258067,  which  will  be  included  in  SP1.   The  fix  above is
    TEMPORARY -  trust me,  the problem  will come  back to  haunt you
    when you least expect it.

    According to Microsoft, the fix will be incorporated into SP1.